The performance of Clinical Risk Management activities in line with DCB0129 is a crucial and mandatory requirement of health and care technologies working in the NHS. When done well, DCB0129 can provide a risk management framework for your organisation which helps to mitigate patient safety risks whilst ensuring clinical oversight of the product development process. However, as with any clinical practice, the real learning following qualification, comes from performing the role on a daily basis.
This blog, a collaborative effort from the Clinical Safety and Regulatory teams at 8foldGovernance, shares the collective learning of over 30 years in Technology Risk Management and some of the common mistakes businesses can make when adopting this standard.
The NHS has long acknowledged that digital systems have the potential to cause harm when not developed and deployed properly. To manage this risk the NHS published two clinical safety standards, last updated in 2018, and incorporated into law through Section 250 of the Health and Social Care Act.
The standards, DCB0129 for manufacturers and DCB0160 for deploying organisations (both in health and social care) provide a structured approach to assessing and mitigating risks from digital systems, coordinated by a registered healthcare professional – the Clinical Safety Officer. An applicability guide accompanies both standards.
The DCB0129 is now an essential assessment as part of the NHS Digital Technology Assessment Criteria, a cornerstone of the NHS’s What Good Looks Like digitalisation guide for all health and social care providers, and one of nine overarching requirements for Digital Social Care Records.
When done well, the DCB0129 and DCB0160 risk management assessments combine to deliver a safer, better Health IT System. They are pivotal to the safety of health and social care IT systems and have provided standardised assessment criteria for over a decade. The role of the Clinical Safety Officer (CSO) in assessing the system and compiling the evidence to meet the standard is fundamental.
Based on our experience reviewing and compiling thousands of pages of DCB0129 documentation, these are 5 of the most common mistakes made when adopting DCB0129:
Lack of Top Management Support and Accountability
The DCB0129 Standard places considerable emphasis on “Top Management” responsibilities. It is clear that Top Management is integral to effectively assessing Health IT Systems safety. When Top Management commits and understands the necessity of the DCB0129 assessment, and risk management overall, the process can be relatively quick, help shape the product and ultimately deliver a higher quality product.
The reverse is true when there is a lack of complete buy-in. Any issues can take a protracted period to resolve as resources are not prioritised to ensure controls are put in place. The lack of resources, including time, money or expertise, results in compromises being made for immediate ease. This results in the risk management team constantly evaluating risks retrospectively, rather than horizon scanning for potential issues that could cause patient harm.
Tick box compliance
DCB0129 is a continual process rather than a one-off assessment. “One-off” assurance activities will satisfy an immediate need, but without ongoing maintenance, the DCB0129 becomes pointless. This is why we advocate for businesses to use it to consider their overall business and product risk management approach.
When done well, the CSO is embedded into the product development process as part of the risk management team. For Medical Device manufacturers, this may mean the CSO works closely with the Regulatory Team and has oversight of the Quality Management System processes for Risk Management. By embedding the CSO with the regulatory and product teams, this enables the Clinical Safety Case to be maintained, with up-to-date hazard logs and clinical safety case reports available to be disseminated to clients.
By not maintaining up to date DCB0129 documentation, this can often prevent CSO’s in the NHS from completing their DCB0160 assessments, meaning a prolonged procurement process and additional due diligence.
Siloed Compliance
One of the most common mistakes made by manufacturers is siloing DCB0129 documentation against the broader landscape of compliance requirements.
For example, Medical Devices as part of the Quality Management System, must comply with ISO 14971, the application of risk management to Medical Devices, and ISO 13485, the Quality Management System for Medical Devices. For the purposes of DCB0129, by considering each standard in isolation, this will mean repeating tasks and duplicating documentation leading to a waste of valuable resources and a misaligned appreciation of the system’s risk and controls. Find out more about how you can align DCB0129 with ISO 14971 here.
By aligning processes internally, including risk management plans, hazard logs, and risk assessments, and forming a central risk management file (or clinical safety case) from the outset, this will reduce the time outlay in the long run and result in a single version of the truth—critical in risk management.
Retrospective risk management
We often see organisations that are expected to perform retrospective risk management activities in line with DCB0129 which presents a number of issues for both the manufacturer and the deploying organisation.
For example, when risks are analysed on deployed systems, there is a skewed perception of what is a practicable control measure. Introducing a control on a function that has not been used is very different from restricting the ability of a function already rolled out. Where there is a limited amount of data, it is better to use the collective risk management team experience to determine the chances of the hazard occurring.
Whilst distributing a retrospective evaluation may not be received well by an NHS organisation, as the manufacturer could be communicating hazards it was unaware of, it is still a worthwhile exercise to assess product safety. No matter how problematic retrospectively completing an assessment is, not completing a DCB0129 clinical safety assessment risks missing issues that could cause preventable patient harm and ultimately end a commercial engagement
Lack of Clarity on transferred Hazards
There are three overarching purposes to a DCB0129 assessment:
- Give a clinical, patient-centred focus to hazard identification and controls
- Give Assurance to top management that the product is as safe as practicable within the system’s scope and intended use.
- Communicate the hazards that have not been controlled to the deploying organisation and the suggested controls the manufacturer has highlighted.
The Hazard Log and the Clinical Safety Case Report must communicate the hazards that have been highlighted that are still outside acceptable ranges – these will need a benefit-risk analysis to justify the residual risk. It must also communicate the transferred risks to the deploying organisation- i.e. the risks that are impossible to mitigate by the manufacturer, and the deploying organisation must put in control steps.
This will particularly be the case in highly tailorable systems. These systems appeal because the deploying organisation has more opportunity to use the system to suit their current workflows – however, in being highly adaptable, the likelihood of misuse or avoidable harm will increase.
Summary
Through appointing an experienced and competent CSO, suppliers will deliver a safer and overall better product. However, there are barriers that both the CSO and the manufacturer need to be aware of and remove to get the most out of the DCB0129 process. By thinking carefully about these common mistakes, and how to mitigate against them, organisations can prepare themselves more effectively to address this essential NHS compliance requirement providing customer assurance of your commitment to clinical safety.
We’re the experts that have your back.
Lets see how we can help you navigate DCB0129 or DCB0160 with market leading Clinical Risk Management